Unified Connector Framework (UCF) layer to allow more provisioning frameworks in the future

Automatic generation and caching of resource schema from the connector

Local connector discovery

Support for connector hosts and remote connectors

Identity repository based on BaseX XML database

Live synchronization

Reconciliation (no GUI support yet)

Advanced RBAC support and flexible account assignments

Expressions in the roles

Hierarchical roles

Parametric roles (including ability to assign the same role several times with different parameters)

Support for XPath version 2 expressions

Enhanced logging and error reporting

Basic task manager component

Basic auditing

Lightweight structure

Support for Apache Tomcat web container

Import from file and resource

Object schema validation during import (can be switched off)

Smart references between objects based on search filters

Changes

When compared to the previous version, Phoebe is introducing following changes:

Provisioning model fully based on relative changes

Advanced Role-based access control (RBAC)

Expressions in the roles

Hierarchical roles

Parametric roles (including ability to assign the same role several times with different parameters)

Reconciliation mechanisms

Synchronization and reconciliation were reworked to streamline configuration while allowing more options to be set

Basic auditing implementation allow auditing changes to a (log) file

Basic features that will enable asynchronous processes in near future (e.g. workflow approvals) (alpha quality)

Further testing and codebase stabilization

Quality

Release 1.10 (Phoebe) is intended for production use in less demanding environments. Most of the features are stable and well tested, however the production experience with the product is limited. In case of production deployment we suggest caution and proper deployment procedures (test, pilot, roll-out).

Goal Change Justification

The original goal of the Phoebe release was to reach production quality system and mark the milestone with "2.0" version number. The plan was to use Oracle database XML functionality. However, we have reconsidered this goal for several reasons. First being the deficiencies of XML as a data representation. While we have been aware of them, we haven't suspected that they will be such a serious impact on the system. Therefore the plan to use Oracle XML database was changed to support of generic relational database layer. However, to support the relational mapping efficiently we needed to improve the schema processing routines in midPoint. While that was partially done in Phoebe some details still needs to be done. The "plan B" with the BaseX XML database partially failed as well. The database cannot efficiently scale to more than approx. 5000 entries. This is sufficient for demo, PoC and very small deployments (up to approx. 500-1000 users). But it is definitely not the "production ready" quality that we were looking for. Unlike other vendors we have chosen not to pretend the quality that we don't have.

We have decided not to postpone Phoebe any further and to release it as midPoint version 1.10 (instead of 2.0). Despite the facts stated above the overall quality of the release is good. We would like to encourage community to try Phoebe even for pre-production purposes to gain experience and gather feedback.

During the next release (Rhea) we will concentrate effort to address the remaining issues and we are confident that Rhea will bring a production-quality system. Rhea will also come with a new user interface, therefore we hope that it will be worthy of the 2.0 version demarcation.

Background

midPoint is roughly based on OpenIDM version 1. When compared to OpenIDM v1, midPoint code was made significantly "lighter", removing some of the "dead meat" that accumulated over the year of hectic OpenIDM development. The code was also stabilized, the tests were fixed and the complete development process was brought back to a reasonable shape. The most significant changes are with regard to OpenIDM trunk in early 2011:

Removed OpenESB: OpenESB is a dead project and the hope of reviving it is very low. OpenESB was slowing down OpenIDM development from the very beginning. This does not mean that midPoint cannot be used in "ESB" environment. Just the approach was changed to decouple these technologies. midPoint is provided in a for of simple Java web application (WAR) based on Spring.

Removed Glassfish dependency: midPoint is no longer dependent on a specific application server. The primary development and testing platform is now Apache Tomcat.

Simplified build: The build system was completely revamped. The new build system is much simpler and based on a "pure" maven without any hacks.

Fixed unit tests: The unit tests were reviewed, deprecated unit tests were removed and the tests that are still needed were fixed. The tests would deserve better cleanup, but they are all passing now. And that's how it shall remain from this point on.

Architecture update: New wiki was created with an up-to-date information on current midPoint implementation and also the design. The UML models were updated as well, removing unnecessary components exactly as it happened in the code.

Refactoring of vital components: IDM Model, provisioning and repository were significantly refactored for a better code structure and improved readability.

Improved GUI: The GUI has been improved for usability.

Error reporting: Errors are displayed more sophisticated composite result GUI.

Logging: Logging subsystem was switched to logback, has support for MDC-based subsystem marking, the log messages were cleaned up.

Resource Schema: Resource schema is automatically generated.

Connector and Connector Host: Connectors are described by repository objects, including generated connector schema. Connector hosts are supported.

Known Issues

Sometimes it can happen if you have long time no-activity in GUI after re-login can show you screen on which it is "<partial-response> ... </ partial-response>" and the page is not displayed. This problem is solved refresh the page.

Before importing users from resource, you need to delete the previous import task for the same resource if it exists.

User is sometimes redirected to a wrong UI after login. E.g. logging in to admin GUI will result in user being logged to user GUI. MID-556

Phantom errors may appear in the import tasks if any of the configured resource are not reachable or misconfigured.